hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Kocher <dkoc...@sudo.ch>
Subject Re: Preemptive authentication examples wrong
Date Fri, 26 Aug 2011 10:23:32 GMT
On 24.08.2011, at 20:40, Oleg Kalnichevski wrote:

> On Wed, 2011-08-24 at 16:46 +0000, Fredrik Jonson wrote:
>> Oleg Kalnichevski wrote:
>> 
>>> I contend that preemptive authentication is conceptually flawed and poses
>>> major security risks in the overwhelming majority of cases.
>> 
>> What is it that is conceptually flawed with using preemtive authentication,
>> when you with certainty know the http request that is about to be performed
>> always will require authentication?
>> 
> 
> The overhead of letting the first request in a session to get challenged
> by the origin server and caching the authentication state for the rest
> of the session is virtually negligible. The whole idea of using
> preemptive authentication to order to save one HTTP round-trip is a
> complete and utter idiocy. 

A common scenario where this is not possible is when the server does not support 100-continue
expectation and the the PUT request entity is not repeatable.

> 
>> And what are these major security risks involved in using preemtive
>> authentication against known and secured adresses?
>> 
> 
> If you control both ends probably none, as long as everything stays
> constant. But it only takes a small configuration mistake on the client
> side or a wrong redirect on the server side to get your credentials sent
> to a wrong site in _clear_ text. I have seen that happen too many times.
> 
> Oleg  
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
> 


Mime
View raw message